[Snort-users] best way to match on CIFS filenames?

Todd Wease twease at ...1935...
Fri May 23 08:14:14 EDT 2008


You can use the "nocase" option on your content match.

There is no unicode normalization.  You'll have to write a unicode and
ascii rule.  Something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] (msg:"SMB unicode rule"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; content:"f|00|i|00|l|00|e|00|"; nocase; sid:1000001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] (msg:"SMB ascii rule"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; content:"file"; nocase; sid:1000002;)

You might have to tune these for the different SMB commands a client can
use to open/create a file - Open, OpenAndX, NtCreateAndX, etc.


Jason Haar wrote:
> I'm trying to write a rule to capture uploads of certain filenames via 
> CIFS. However, over the years SMB became CIFS, Unicode was introduced, 
> etc, etc. Which leads to the current mess whereby my "rule" is turning 
> into "rules" as I try to figure out all the combinations.
> 
> Anyway, I was wondering if there was any built-in 'normalizing' 
> function I could use so that I could look for strings without worrying 
> about their case or unicode status.
> 
> e.g. a filename of "ntldr.exe" can be "NTLDR.EXE", "Ntldr.exE" as well 
> as "n|00|T|00|l|00|D|00|r|00|.|00|e|00|x|00|e".
> 
> I am making so many fat-finger mistakes getting that right that I'm 
> hoping the Sourcefire guys have too ;-)
> 

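The reply above says there is no Unicode normalization in Snort's content matching, so a filename has to be matched twice: once as ASCII and once as UTF-16LE with the interleaved |00| bytes, with "nocase" covering the case variants. The script below is an added example, not code from the thread or from Snort: it generates the rule pair for a filename (so the |00| interleaving is never typed by hand), and it evaluates the same content/offset/depth/nocase checks against constructed SMB1 frames the way Snort does, to show that each rule only fires on its own encoding. The frame layout (NetBIOS session header, 32-byte SMB header with only the signature and the NT Create AndX command byte filled in, name appended directly after) and the SIDs 1000001/1000002 are assumptions for illustration.

```python
"""Generate ASCII + UTF-16LE Snort content rules for a CIFS filename and
check them against constructed SMB1 requests (added example, not part of
the thread). Assumes Snort 2 content/nocase semantics: nocase folds only
ASCII letters, so |00| and |FF| bytes must still match exactly."""
from typing import List, Optional, Tuple

# (pattern, offset, depth, nocase) as written in the thread's rules; an
# offset of 0 and depth None means "search the whole payload".
Check = Tuple[bytes, int, Optional[int], bool]


def snort_content(data: bytes) -> str:
    """Render bytes as a Snort content string: printable ASCII stays
    literal, everything else (and the rule-special characters " ; | \\)
    goes into a |hh hh| hex group."""
    out: List[str] = []
    hexrun: List[str] = []

    def flush() -> None:
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '";|\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(out)


def content_checks(filename: str, enc: str) -> List[Check]:
    """The three content matches from the thread's rules for one encoding
    ('ascii' or 'utf-16-le')."""
    return [
        (b"\x00", 0, 1, False),        # NetBIOS session service: session message
        (b"\xffSMB", 4, 4, False),     # SMB1 header signature right after the 4-byte NBSS header
        (filename.encode(enc), 0, None, True),  # the filename, case-folded
    ]


def build_rules(filename: str, base_sid: int) -> List[str]:
    """Emit the ASCII rule (base_sid) and the Unicode rule (base_sid + 1).
    The SID range is an assumption; pick one free in your local rules."""
    safe = "".join(c for c in filename if c.isalnum() or c in "._-")
    rules = []
    for i, (enc, label) in enumerate((("ascii", "ascii"), ("utf-16-le", "unicode"))):
        opts = []
        for pat, offset, depth, nocase in content_checks(filename, enc):
            opt = f'content:"{snort_content(pat)}";'
            if offset:
                opt += f" offset:{offset};"
            if depth is not None:
                opt += f" depth:{depth};"
            if nocase:
                opt += " nocase;"
            opts.append(opt)
        rules.append(
            "alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] "
            f'(msg:"SMB {label} filename {safe}"; flow:to_server,established; '
            + " ".join(opts) + f" sid:{base_sid + i};)"
        )
    return rules


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Absolute content match over the window [offset, offset+depth).
    bytes.lower() only touches A-Z, which mirrors Snort's nocase: the NUL
    bytes of a UTF-16LE pattern are not folded and must be present."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_matches(payload: bytes, filename: str, enc: str) -> bool:
    """True when every content check of the rule for `enc` hits."""
    return all(content_match(payload, *chk) for chk in content_checks(filename, enc))


def smb_request(name_on_wire: str, unicode: bool) -> bytes:
    """Constructed NBSS + SMB1 frame (not a faithful NT Create AndX request):
    signature and command byte 0xA2 are real, the remaining 27 header
    bytes and parameters are zero padding, then the name as the client
    would encode it, NUL-terminated."""
    name = name_on_wire.encode("utf-16-le" if unicode else "ascii")
    smb = b"\xffSMB" + b"\xa2" + bytes(27) + name + (b"\x00\x00" if unicode else b"\x00")
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for rule in build_rules("ntldr.exe", 1000001):
        print(rule)
    samples = [("NTLDR.EXE", False), ("Ntldr.exE", True)]
    for name, uni in samples:
        frame = smb_request(name, uni)
        print(name, "utf-16le" if uni else "ascii",
              "ascii-rule:", rule_matches(frame, "ntldr.exe", "ascii"),
              "unicode-rule:", rule_matches(frame, "ntldr.exe", "utf-16-le"))
```

Running it shows the point of the reply: the ASCII rule fires on "NTLDR.EXE" sent as ASCII but not on the UTF-16LE transfer, and the Unicode rule does the reverse, so both rules are needed and neither can be dropped. The |FF|SMB check ties both rules to SMB1 framing, and the filename match is a plain substring search over the whole payload, so, as the reply also notes, the rules are not yet specific to any particular open or create command.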